Patient opt-outs actioned by January

  • 24 November 2015
Patient opt-outs actioned by January
The HSCIC will action patient opt-outs of data sharing on 29 April

Around 700,000 patients who objected to having their identifiable data shared with third parties will have their wishes recognised by January next year, nearly two years after being offered the opt-out.

The Information Commissioner’s Office has found that the Health and Social Care Information Centre has failed to comply with the first principle of the Data Protection Act due to the objections not being enacted for so long.  

A letter from the Information Commissioner’s Office to HSCIC chair Kingsley Manning, included in this week’s HSCIC board papers, says the information centre expects to action the opt-outs by January 2016.

Digital Health News reported in May this year that the HSCIC was “extremely concerned” that 700,000 patient objections to having their identifiable data shared had yet to be enacted.

The objections were registered as part of the launch of the controversial care.data programme, which will extract data sets from different organisations, starting with GP practices, and link them to an expanded set of Hospital Episode Statistics within the 'safe haven' of the HSCIC.

When the programme was launched in February 2014, patients were given the option to ‘opt-out’ in two different ways.

Under the type 1 objection no information, other than for direct care purposes, would leave their GP practice. Under a type 2 objection, no identifiable information held by the HSCIC would be passed to a third party. Both of these objections were registered on the GP's clinical system.

However, the programme was paused that same month and no data has subsequently been extracted from GP systems as part of the programme.

Last November, the care.data programme board decided that patients would only be offered a type 1 objection in the new pilot of the scheme and GPs would no longer be obliged to collect type 2 objections as part of the programme.

The HSCIC was asked to take on responsibility for dealing with any type 2 objections that were already registered with a GP.

In its letter, the ICO recognised the difficulty in being able to achieve this when no direction was issued to the HSCIC to extract any of the opt-out data from GPs.

The letter, from ICO group manager of public services Dawn Monaghan, also notes the HSCIC’s concern that the, “current type 2 opt-out code was written in such a way that, if actioned, could prevent patient data being shared for some direct care purposes such as cancer screening”.

However, it concludes that the HSCIC has not complied with the first principle of the Data Protection Act 1998 as it has: “continued to share patient data with other organisations for purposes other than direct care after patients were offered an opt-out and significant numbers of patients objected to their data being used in that way.”

“We are of the view that patients who did opt out would have a reasonable expectation that their personal data would not be included in HSCIC data releases. However, the opt-outs remain on GP practice systems and details of which patients have opted out have never been sent to HSCIC,” Monaghan says.

Rather than issue an enforcement notice, the ICO has proposed an ‘undertaking’ whereby the HSCIC commits to implement the type 2 objections by next January and inform those affected.

The HSCIC’s board papers also say distribution of health data to customers with objections upheld will start on 26 January next year.

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

Patient data published online following south east London cyber attack

Patient data published online following south east London cyber attack

Cyber criminals have published patient data online which they claim was stolen as part of an attack on Synnovis, NHS England has confirmed. 
ICO guidance on transparency published for health and care sector

ICO guidance on transparency published for health and care sector

New guidance has been issued by ICO over how health and care organisations should be transparent over the use of personal information.
Ransomware group releases NHS Dumfries and Galloway patient data

Ransomware group releases NHS Dumfries and Galloway patient data

NHS Dumfries and Galloway have confirmed that patient data has been released by a ransomware group, following an earlier cyber attack on its IT systems.